Books

The Worrisome Threat of DNS DDoS Amplification Attacks

This article was originally published in the ENISA Quarterly, 6 June 2006. It is no longer available from ENISA. (Reproduction is authorised provided the source is acknowledged)

Between December 2005 and March 2006, some DNS (Domain Name System) root and Top Level Domain (TLD) name server operators were subjected to numerous denial of service (DoS) attacks. These attacks seriously disrupt name resolution service by directing an overwhelming amount of traffic at the communications links that name server operators use to provide service. This ’congestion‘ makes it difficult or impossible for operators to provide the function of identifying the Internet address associated with the domain name of any of the registered names in the domain under attack.

The targets for such attacks are not limited to root and TLD name servers; major financial and eCommerce name servers may be even more vulnerable, and the consequent disruption to name resolution in such focused attacks have grave economic consequences. Law enforcement agencies and governments worldwide should treat these incidents as serious attacks, deliberately launched against very high profile targets, by parties who may be politically or financially motivated.

What is a DNS DDoS Amplification Attack?

The attacks against root and TLD name servers are variants of what security experts call a DNS DDoS amplification attack. The attack can be best explained by examining the elements involved in the attack. The attack targets a specific service, the DNS, and attempts to prevent or deny access to that service. A DoS is an attack whose objective is to exhaust the resources of a target host (memory, processing capabilities, or Internet bandwidth). The target can be an individual host, such as a DNS name server, or an entire name server infrastructure of a country-specific or generic TLD (com, net, org, biz). To launch an effective attack against large scale name server operations, an attacker requires a virtual army of hosts that can, at his command, simultaneously attack a specified name service target. He must thus distribute his attack.

Attack on all fronts

A distributed denial of service attack (DDoS), as the name suggests, is a virtual ‘attack on all fronts‘. Because so many PCs, both personal and business, are poorly secured, such armies are unfortunately simple to recruit. By creating and sending an e-mail message containing a malicious programme, for example, an attacker can infect hundreds (possibly thousands) of PCs that are not adequately protected against infection. Such PCs are whimsically known as ‘zombies’.

To form a DDoS army, the infecting programme is written to allow the attacker to remotely control and direct to initiate a DoS attack at a specified target, at a specified time. The DNS DDoS attacks and other, similar DDoS attacks harshly illustrate that attackers can gather sufficiently large zombie armies to flood even the Gigabit per second access circuits used by TLD name server operators.

Turn up the Volume

Even when large armies of attacking hosts are employed, an attacker will try to maximise the volume of traffic that can be directed at a target over the shortest period of time. One method of increasing or amplifying the traffic volume is to add an intermediate set of machines into the attack army by making use of public DNS servers and having these public DNS servers amplify the size of the messages coming from the zombies. In the DNS DDoS attacks, the attacker composes a DNS request message of approximately 60 bytes and causes the delivery of a response message of approximately 4,000 bytes to the target. This significantly increases the volume of traffic the target will receive, and thus accelerates the rate at which the target's resources will be depleted. Amplification of this dramatic a scale assures that an unprepared target cannot deploy countermeasures before the attack succeeds. A message of 4,000 bytes is also so large that it is almost certain to require fragmentation into multiple, smaller IP packets along the path to the target. Thus, in addition to increasing traffic volume at the target, the attack will increase the processing load by forcing message reassembly.

The anatomy of this kind of DDoS attack is illustrated and explained here.

Deception in DNS DDoS Attacks

During a DDoS attack, each attacking zombie host uses the targeted name server's Internet address as its originating or source IP address, rather than its own. The effect of masquerading or spoofing the Internet address of the targeted host in a DNS DDoS attack is that responses to thousands of DNS requests will be delivered to the targeted name server operator rather than being returned to scores of spoofing zombie hosts. This is but one element of the extensive deception techniques employed in the incidents observed. DNS DDoS attacks additionally exploit name servers that allow open recursion, where a name server processes a DNS request on behalf of a PC by asking the authoritative name server, i.e., the definitive source of domain name information for a DNS name record. Recursion is typically provided for a trusted or closed set of clients, but generally, name servers can perform ’open‘ recursion for any host and, while estimates vary, it is possible that more than one million name servers worldwide provide open recursion.

Mounting an Immediate Defense against DNS DDoS Attacks

Only a handful of countermeasures are available to operators when they are targeted for a DNS DDoS attack. Note that, while the zombies employ IP spoofing, the open recursive servers do not, so the name server operators can readily identify the open recursive servers the zombies use and use this information to limit traffic from these sources, or to block traffic from these open recursive servers entirely. For the short term, name server operators can discard DNS responses that are suspiciously large. DDoS detection and mitigation techniques already implemented in commercial intrusion prevention systems and firewalls will undoubtedly be expanded to test for traffic patterns and arrival rates indicative of the types of DNS DDoS attacks that have already been executed.

The problem with all these efforts is that, while they reduce the impact to the name servers under attack, they do not quash the attack sources, and they do not reduce the load on networks and switches along the paths between the targeted name server and (all of) the open recursive servers. An undesirable consequence of temporarily blocking all traffic from open recursive servers is that legitimate attempts to resolve names through these servers become the ‘baby thrown out with the bath water‘. Long-term ’blacklisting‘ of open recursive servers will also hamper organisations that run name servers in this mode so that mobile employees can resolve from a ’trusted‘ name server.

Collaborative Efforts Can Thwart DNS DDoS Attacks

Security advisory groups such as CERTs, SANS and ICANN’s Security and Stability Advisory Committee (SSAC) recommend widespread adoption of two measures to thwart DNS DDoS attacks. First, eliminate gratuitous and unintentional configurations of open recursive name services. By configuring name servers to only accept recursive DNS from trusted sources except where absolutely necessary, the community at large can greatly reduce the attack vectors available. (Organisations that have legitimate needs for open recursive name service should do so as responsibly as possible by implementing the DDoS detection and mitigation measures mentioned above.)

The second and most important measure is to implement source IP address validation on a broad scale. By checking that the source address in every IP packet is a validly assigned address prior to permitting traffic to enter the Internet core over any communications access link from any ’edge‘ device (PC, router, switch, or firewall), a wide range of IP address-based impersonation attacks can be eliminated or greatly reduced.

Currently, source IP address validation is not widely adopted. Critics claim that it adds administrative overhead and adversely affects performance. However, DDoS attacks are growing in frequency and efficiency, and the community at large should not conclude that DNS DDoS attacks against high profile name servers are the clearest and most present danger. In Europe, the RIPE community has established a task force to promote proper measures to prevent the use of an illegal address.

Public service providers and private network operators are increasingly looking to the Internet as an efficient means of deploying telephony services. Voice over IP service is currently as vulnerable to DDoS attacks as the DNS. Today, responses to terrorist incidents and natural catastrophes are dependent on the availability of cellular and PSTN networks. Telecommunications networks have been validating telephone numbers and addresses on ingress traffic for decades. It is time for IP networks to follow suit.